459 matches found

Positive Technologies
added 2024/04/04 12:0 a.m., 2 views

PT-2024-23854

Name of the Vulnerable Software and Affected Versions: WordPress versions 6.4.0 through 6.4.1. Description: The issue allows for code execution via the __destruct magic method of the WP_HTML_Token class when unserializing its instances. This issue was fixed in WordPress 6.4.2 on December 6th, 2023...

CVSS 9.8 · AI score 6.2 · EPSS 0.0274
Exploits 1 · References 18
OSV
added 2024/03/06 10:56 a.m., 26 views

BIT-DRUPAL-2020-28948

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked...

CVSS 7.8 · AI score 7.8 · EPSS 0.84554
Exploits 5 · References 12
Prion
added 2024/01/16 4:15 p.m., 14 views

Design/Logic Flaw

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

CVSS 5 · AI score 7.4 · EPSS 0.00702
Exploits 2 · References 1 · Affected Software 1
Vulnrichment
added 2024/01/16 3:56 p.m., 9 views

CVE-2023-1405 Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

AI score 7.4 · EPSS 0.00702
Exploits 2 · References 1
CVE
added 2024/01/16 3:56 p.m., 334 views

CVE-2023-1405

CVE-2023-1405 affects the Formidable Forms WordPress plugin up to version 6.1.2. It arises from unserializing user input, enabling unauthenticated PHP Object Injection when a suitable gadget is present. Impact is HIGH (I:HIGH, A:NONE) with remote attacker access. Mitigation: upgrade to version 6....

CVSS 7.5 · AI score 7.6 · EPSS 0.00702
Exploits 2 · References 1 · Affected Software 1
OSV
added 2024/01/15 4:15 p.m., 2 views

CVE-2023-6049

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog...

CVSS 9.8 · AI score 7.3 · EPSS 0.00926
Exploits 2 · References 1
Positive Technologies
added 2024/01/15 12:0 a.m., 4 views

PT-2024-14864 · WordPress · Estatik Real Estate Plugin

Name of the Vulnerable Software and Affected Versions: Estatik Real Estate Plugin WordPress plugin versions prior to 4.1.1 Description: The issue allows unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog, due to the plugin unserializing user...

CVSS 9.8 · AI score 9.6 · EPSS 0.00926
Exploits 2 · References 6
WPVulnDB
added 2024/01/05 12:0 a.m., 18 views

Rencontre – Dating Site < 3.11.2 - Subscriber+ PHP Object Injection

Description: The plugin unserializes user input, which could allow any authenticated user, such as a subscriber, to perform PHP Object Injection when a suitable gadget is present on the blog...

CVSS 9.9 · AI score 9.1 · EPSS 0.00621
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2023/12/07 12:0 a.m., 40 views

WP 6.4-6.4.1 - POP Chain

Description: WP 6.4 introduced a PHP gadget chain. While the issue is not directly exploitable on its own, it could be combined with a PHP unserialization flaw, for example in a plugin or theme installed on the blog, to achieve RCE...

AI score 7
Exploits 0 · References 1
OSV
added 2023/12/04 10:15 p.m., 5 views

CVE-2023-5952

The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

CVSS 9.8 · AI score 5.8 · EPSS 0.01253
Exploits 2 · References 1
NVD
added 2023/12/04 10:15 p.m., 31 views

CVE-2023-5952

The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

CVSS 9.8 · EPSS 0.01253
Exploits 2 · References 1
CVE
added 2023/12/04 9:27 p.m., 52 views

CVE-2023-5952

The CVE-2023-5952 entry concerns the Welcart e-Commerce WordPress plugin prior to version 2.9.5. Affected component/process: the plugin unserializes user input from cookies, enabling PHP Object Injection when a suitable gadget is present on the blog. Root cause: untrusted cookie deserialization i...

CVSS 9.8 · AI score 9.7 · EPSS 0.01253
Exploits 2 · References 1 · Affected Software 1
Positive Technologies
added 2023/12/04 12:0 a.m., 5 views

PT-2023-32440 · WordPress · Welcart E-Commerce

Name of the Vulnerable Software and Affected Versions: Welcart e-Commerce WordPress plugin versions prior to 2.9.5 Description: The issue allows unauthorized users to perform PHP Object Injection when a suitable gadget is present on the blog, due to the plugin unserializing user input from cookie...

CVSS 9.8 · AI score 9.5 · EPSS 0.01253
Exploits 2 · References 6
ATTACKERKB
added 2023/11/03 5:15 a.m., 4 views

CVE-2023-46817

An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the...

CVSS 9.8 · AI score 7.4 · EPSS 0.01806
Exploits 3 · References 6
OSV
added 2023/10/16 8:15 p.m., 1 view

CVE-2023-4643

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog...

CVSS 8.8 · AI score 5.8 · EPSS 0.00837
Exploits 2 · References 1
CVE
added 2023/10/16 7:38 p.m., 49 views

CVE-2023-4643

CVE-2023-4643 affects the WordPress Enable Media Replace plugin prior to version 4.1.3. The vulnerability stems from the plugin unserializing user input via the Remove Background feature, which enables PHP Object Injection if a suitable gadget is present on the blog. Multiple sources (NVD/NVD-der...

CVSS 8.8 · AI score 8.9 · EPSS 0.00837
Exploits 2 · References 1 · Affected Software 1
OSV
added 2023/10/16 9:15 a.m., 3 views

CVE-2023-3392

The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

CVSS 7.2 · AI score 7.3 · EPSS 0.00783
Exploits 2 · References 1
Cvelist
added 2023/10/16 8:32 a.m., 25 views

CVE-2023-3392 Read More & Accordion < 3.2.7 - Admin+ PHP Object Injection

The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

AI score 7.4 · EPSS 0.00783
Exploits 2 · References 1
OpenVAS
added 2023/09/27 12:0 a.m., 8 views

WordPress Customizer Export/Import Plugin < 0.9.5 PHP Object Injection Vulnerability

The WordPress plugin ... SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:wpbeaverbuilder:customizerexport%2fimport"; if description...

CVSS 7.2 · AI score 7.1 · EPSS 0.01126
Exploits 1 · References 1
OpenVAS
added 2023/09/27 12:0 a.m., 10 views

WordPress Customizer Export/Import Plugin < 0.9.6 PHP Object Injection Vulnerability

The WordPress plugin ... SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:wpbeaverbuilder:customizerexport%2fimport"; if description...

CVSS 7.2 · AI score 7.1 · EPSS 0.16046
Exploits 1 · References 1